Skip to content

Malcolm v6.2.0
Compare
Choose a tag to compare
@mmguero mmguero released this 03 Aug 20:31
· 2822 commits to main since this release
v6.2.0
28ee931
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Malcolm v6.2.0 is a feature release with a number of bug fixes and improvements. Of particular note is a major reworking of how a standalone instance of Malcolm (i.e., when not receiving traffic from a network sensor) analyzes "live" traffic. See the README for more information.

Note that the changes around idaholab#109 and idaholab#110 require changes to the files used by docker-compose. Please run ./scripts/auth_setup and ./scripts/install.py --configure to ensure the appropriate new environment variables are set.

v6.1.0...v6.2.0

  • Improvements

    • idaholab#109: break Zeek/Suricata into two containers: one for "live" capture and one for uploaded PCAPs
      • give option to disable capture interface hardware offloading and adjust ring buffer sizes for standalone Malcolm capture
      • Zeek and Suricata images are now configured to not drop privileges at init (in order to be able to set permissions for network capture), but supervisord will drop privileges for all of its child processes before they execute to maintain security posture
      • include headers needed to build Zeek af_packet plugin in Zeek docker container
      • updated README to describe methods for capturing local traffic with standalone Malcolm
      • same images will be used for zeek and zeek-live containers, as well as for suricata and suricata-live containers, respectively
      • use the same scripts zeekdeploy.sh to configure and run Zeek on both Hedgehog and in the Malcolm zeek docker images
      • prevent "live" and "non-live" Zeek containers from both trying to update intel indicators at the same time
    • Speed up build time by getting official Debian suricata packages from backports rather than building from source
    • Added Suricata rule update cron jobs
    • Added documentation (in the form of comments) to all docker-compose file variables

  • Bugs

    • Fix idaholab#107: expand action/result meaning in DNP3 (and other?) dashboards
      • Clean up some Nul values that could appear in Zeek logs
      • improve mapping of BACnet actions
    • Fix idaholab#108: export PCAP not working from Arkime sessions without "Arkime Sessions"
    • Fix idaholab#110: SFTP upload broken due to dollar sign(s) in openssl-encrypted password
      • prompt in install.py --configure whether or not to expose this port to external hosts
    • Fix an issue that could prevent some zeek logs from being parsed correctly if they contained non-ASCII charactters

Malcolm and Hedgehog Linux may be obtained by pulling or building the Docker images and/or building the ISO installer images as described in the documentation. Unofficial ISO installer images for Malcolm and Hedgehog Linux are not hosted on GitHub, but may be downloaded from https://malcolm.fyi/download/.

Assets 7
Loading